CGF Articles & Editorials
COMBINED ASSURANCE: IS YOUR ORGANISATION ADEQUATELY ASSURED? (2019-10-01)
By Glen Talbot(CA) SA, Travers Cape (CA)SA and peer viewed by Jené Palmer CA(SA): CGF Lead Independent Consultants
If we have both internal and external auditors, we have combined assurance, right? Wrong!
For the board of directors to claim that they have discharged their obligations to implement a Combined Assurance Model requires much more than just the appointment of internal and external auditors.
As a director (executive or non-executive), can you confidently answer the following questions:
- Do you have a clear picture of your organisational structure? This includes the legal entity structure of the organisation (or group of companies) as well as the operational structures including business units, divisions and departments.
- Do you have a clear understanding of the business processes being engaged by the various entities and business areas within your organisation?
- Has your organisation identified and assessed its key risks (strategic and operational) which impact the business processes?
- Do you know what lines of defense have been applied to mitigate these business risks?
- Are you satisfied that the lines of defense collectively provide adequate comfort to your stakeholders that the organisation’s control environment is being optimally managed?
Lines of defense
King III referred to three (3) lines of defense, however, King IV™ has expanded this concept to include six (6) lines of defense as depicted below:
King III (2009)
King IV™ (2016)
|The organisation’s line functions that own and manage risks
|The organisation’s specialist functions that facilitate and oversee risk management and compliance
Internal assurance providers
|Internal auditors, internal forensic fraud examiners and auditors, safety and process assessors and statutory actuaries
External assurance providers
|Independent external assurance service providers such as external auditors
|Other external assurance providers such as sustainability and environmental auditors, external actuaries and external forensic fraud examiners and auditors
Defining Combined Assurance
Many boards appear to grapple with the meaning of the term “Combined Assurance” and see it as something which is delegated (relegated) to the finance department. Simply put: “Combined” refers to the combination of all the assurance providers as set out in the six lines of defense; and “Assurance” refers to the level of confidence derived from the work performed by various assurance providers.
King IV™ defines “assurance” as: “The diligent application of mind to evidence, resulting in a statement or declaration concerning an identified subject matter or subject matter information, and that is made for the purpose of enhancing confidence in that subject matter or subject matter information”.
It therefore stands to reason that the objective of a Combined Assurance Model is to provide comfort to stakeholders that an effective control environment is in place to address key business risks arising from business processes, including “non-finance” related business processes such as outsourced IT services.
King IV™ defines a “Combined Assurance Model” as one which : “incorporates and optimises all assurance services and functions so that taken as a whole, these enable an effective control environment; support the integrity of information used for internal decision-making by management, the governing body and its committees; and support the integrity of the organisation’s external reports”.
Whilst the above appears quite daunting, the Combined Assurance Model recognises that organisations are constrained by limited resources and that it is not practical, nor desirable, for all lines of defense to provide assurance on all “subject matter or subject matter information”. The key to achieving the best possible level of assurance within defined cost constraints lies in:
- establishing and approving a comprehensive risk register which forms the foundation for determining which business risks need to be mitigated;
- identifying the different assurance providers and mapping the coverage they provide in respect of the risks contained in the risk register; and
- using the Combined Assurance Mapping to identify gaps in assurance as well as areas where there is a duplication of effort (and costs).
Key role players
The board (as the governing body) is ultimately accountable for ensuring that an effective and efficient system of internal controls is designed and implemented within the organisation. In many instances, the board will delegate this responsibility to the audit committee who will approve a Combined Assurance Framework and oversee that the outcomes of the Combined Assurance Model provide adequate comfort that the organisation’s control environment is effective and that it underpins the integrity of the organisation’s internal and external reporting.
By leveraging the Combined Assurance Model to achieve an optimal level of assurance, the board can realise the following tangible business benefits:
- renewed focus on business and operations;
- enhanced risk management;
- better coordination of efforts between internal and external assurance providers with those of management to optimise assurance coverage;
- reduced costs through the elimination of unnecessary duplication of assurance efforts;
- improved integrity of the organisation’s internal and external reporting;
- improved tracking of remedial actions; and
- improved organisational credibility and reputation.
Full disclosure of the application of the Combined Assurance Model in the Annual Integrated Report will underpin the implementation of a Corporate Governance Framework® and demonstrate the board’s commitment to good corporate governance.
To simply state in the Annual Integrated Report that “we adopt a combined assurance approach” is simply not sufficient. In compliance with governance best practice and in order to provide stakeholders with a good understanding of how the organisation applies the principles of Combined Assurance, the following information should as a minimum, be disclosed in the Annual Integrated Report:
- the process of risk management; and
- information about the organisation’s implementation of its Combined Assurance Model, including details of the overall assurance measures, providers and reports obtained to verify and substantiate the integrity of internal and external reports relied on by stakeholders for decision-making.
The Combined Assurance Model can help to reduce siloed thinking within an organisation and force an integrated approach to developing and implementing an effective control environment. It promotes a shared understanding of risk and control information and will enable the board to confidently assess whether controls are really addressing critical business risks.
For further information contact:
CGF Research Institute (Pty) Ltd - Tel: +27 (11) 476 8264 / Web: www.cgfresearch.co.za
Glen Talbot (CGF Lead Independent Consultant) - Cell: 082 545 4425 / E-mail: firstname.lastname@example.org
Travers Cape (CGF Lead Independent Consultant) - Cell: 082 816 7841 / E-mail: email@example.com
Jené Palmer (Lead Independent Consultant) - Cell: 082 903 6757 / E-mail: firstname.lastname@example.org
Follow CGF on Twitter: @CGFResearch
Click below to read more...